Skip to content

App proto logging v2#14760

Open
regit wants to merge 4 commits intoOISF:mainfrom
regit:app_proto_logging-v2
Open

App proto logging v2#14760
regit wants to merge 4 commits intoOISF:mainfrom
regit:app_proto_logging-v2

Conversation

@regit
Copy link
Contributor

@regit regit commented Feb 6, 2026
edited
Loading

Make sure these boxes are checked accordingly before submitting your Pull Request -- thank you.

Contribution style:

Our Contribution agreements:

Changes (if applicable):

Link to ticket: https://redmine.openinfosecfoundation.org/issues/7888

Describe changes:

  • implement version option below eve-log section
  • implement app_proto logging for version 2 of eve-log
  • log version of event schema in the event

Provide values to any of the below to override the defaults.

SV_BRANCH=OISF/suricata-verify#2903

regit added 3 commits February 6, 2026 07:22
@regit
eve: move EveAddAppProto to main code
00f03e9 
Moving it to be able to use it globally later.

Ticket: OISF#7888
@regit
eve: add version field
8b4b42c 
This will be used to code the version of the log to use so backward
compatibility can be achieved: upgrading Suricata without changing
the configuration should not trigger major changes in the log
format.
@regit
eve: log app_proto in all event types
a730a24 
The app_proto is logged in a small subset (fileinfo, flow,
frame, netflow) in Suricata when it is an interesting information
for all events type as it includes detection information and protocol
transition.

This patch updates the code to log app_proto in all events if
there is a Flow available. It is making use of EveAddAppProto
function to get interesting information such as original
application protocol or difference between server and client
side.

Backward compatibility is preserved as app_proto information
will only be logged when the eve-log.version is greater or
equal to 2.

Ticket: 7888
@regit regit requested review from a team and victorjulien as code owners February 6, 2026 06:37
@regit regit mentioned this pull request Feb 6, 2026
Closed
5 tasks
@regit
eve: log version starting with version 2
48ed06d 
Log the version of EVE used in the event.
@regit regit force-pushed the app_proto_logging-v2 branch from 548c28a to 48ed06d Compare February 6, 2026 07:14
@codecov
Copy link

codecov bot commented Feb 6, 2026

Codecov Report

❌ Patch coverage is 82.69231% with 9 lines in your changes missing coverage. Please review.
✅ Project coverage is 82.15%. Comparing base (364d2c0) to head (48ed06d).

Additional details and impacted files 
@@           Coverage Diff           @@
##             main   #14760   +/-   ##
=======================================
  Coverage   82.15%   82.15%           
=======================================
  Files        1003     1003           
  Lines      263674   263708   +34     
=======================================
+ Hits       216611   216649   +38     
+ Misses      47063    47059    -4
Flag Coverage Δ
fuzzcorpus 60.19% <63.46%> (-0.01%) ⬇️
livemode 18.85% <38.46%> (+0.11%) ⬆️
netns 18.57% <32.69%> (+0.02%) ⬆️
pcap 44.60% <48.07%> (-0.03%) ⬇️
suricata-verify 65.35% <82.69%> (-0.10%) ⬇️
unittests 59.22% <11.53%> (-0.02%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@victorjulien victorjulien Awaiting requested review from victorjulien victorjulien is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@regit